The relevant section in the Fraud Act states that in order to be false, the representation must be misleading and the person who makes it must be aware it is misleading.

This legislation applies to internet crimes through the representation being “submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention).”

Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.

Reporting the crime

UK

In the UK, when a crime has taken place it should be reported to the police, so Alex should immediately report it at the local police station.

A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU), which provides the UK’s investigative response to the most serious incidents of cybercrime. The PCeU requests that routine reports of computer crime offences are not made directly to them.

There is also an alternative reporting body for internet-enabled crime: Action Fraud.

Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, which then decides whether the incident requires further investigation, as not all computer crimes are investigated.

USA

The Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).

Two Federal LEAs have a remit to investigate some computer crimes:

The Federal Bureau of Investigation (FBI)

The United States Secret Service (USSS)

In this case the crime should be reported to the FBI Local Office, the US Secret Service or the Internet Crime Complaint Centre.

Canada

The Royal Canadian Mounted Police (RCMP) are the main agency with regard to the investigation of federal statutes, but they also have policing responsibility for a number of the Canadian provinces and all 3 territories, as well as some local police services in towns and cities.

Alex should report the phishing to his local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.

Australia

Alex should report the crime to the Australian State or Territory Police.

Investigation policy differs from state to state but the Australian Federal Police website offers a guide on whether the crime should be reported to either Australian State or Territory Police.

Preserving the evidence

Alex should preserve the original email as evidence. He should also inform his email service provider that he has reported the incident to the authorities.

Remediation

Alex should inform his bank of the phishing as soon as possible. It may prevent any fraudulent transfers and provide useful evidence to the bank of so-called ‘money mule’ accounts, which relay money while obscuring the true identity of the cybercriminal.

Alex should change his bank password immediately, along with the password of any other account he owns which uses the same password. He should make sure that this time each account has a different (and hard-to-crack) password.

In future, Alex should be cautious of any unexpected emails which ask him to log in to an account, even if they look like they are genuine.

He should also always keep his anti-virus signatures up to date, and make sure his operating system and applications remain patched.

Conclusion

In general, it’s important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.

If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will not be a true reflection of the number of crimes taking place.

The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.

We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.

All of the scenarios are made up and the characters depicted bear no resemblance to any person.

About the author

Bob Burls is a UK-based IT Security consultant who has extensive experience in Computer Incident Response, the investigation of malicious code and other aspects of internet abuse following over a decade of serving as a Detective on the Metropolitan Police Computer Crime Unit, the NHTCU and the PCeU.

2 comments on “How to report a computer crime: Phishing attack”

It's not made clear here, is the act of sending a phishing email a crime? I receive a couple each week (mostly German Paypal warnings, oddly), but aside from forwarding them to spoof@paypal.com, should I be reporting them as crimes?